Tuesday, June 29, 2010

Firefox Add-ons FTW!

Just a quick post on passwords saved in the browser. After my post on credentials stored in the Windows 7 Vault, I started to think about browser passwords and the risks that lurk there. Chris Gates had a similar thought which he posted about yesterday, and Larry Pesce wrote up a detailed analysis last September.

I personally disable this feature in Firefox, but a strong master password is certainly advisable if you do save passwords within Firefox. While I do not use this feature, I do use a lot of Firefox add-ons: Gmail Notifier, Xmarks Bookmarks, and the Echofon Twitter add-on, to name a few. So I naturally turned my attention to those.

I pondered where these add-ons were storing saved credentials. The answer is the same place Firefox stores them. What more ironic way to verify this than to use a Firefox add-on (SQLite Manager) to query the signons.sqlite database.

As previously covered by Gates and Pesce, recovering the plaintext of the encrypted passwords is trivial as long as you also have access to key3.db and no master password is configured. If you are interested in the details, I suggest checking out the documentation here and the tool available here.
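To make the two points above concrete from an auditing angle, here is an added example (my own code, not from the original post or from any of the tools linked) that opens a copy of signons.sqlite read-only and inventories what is stored without ever touching the ciphertext: which hostnames have saved logins, which entries sit under a non-http "hostname" (the pattern I would look for when hunting add-on-stored credentials), and how many entries are SDR-encrypted and therefore depend on key3.db and the master password. The moz_logins column names, the meaning of encType (1 = encrypted via key3.db, 0 = base64-obfuscated only), the `chrome://hypothetical-notifier` hostname and all row values are assumptions or constructed sample data, not taken from a real profile.

```python
import sqlite3
from collections import Counter

# Subset of the moz_logins table as Firefox 3.x laid it out in signons.sqlite.
# Column names are reproduced from memory: treat them as an assumption.
SCHEMA = """
CREATE TABLE moz_logins (
    id INTEGER PRIMARY KEY,
    hostname TEXT NOT NULL,
    httpRealm TEXT,
    formSubmitURL TEXT,
    usernameField TEXT NOT NULL,
    passwordField TEXT NOT NULL,
    encryptedUsername TEXT NOT NULL,
    encryptedPassword TEXT NOT NULL,
    guid TEXT,
    encType INTEGER
);
"""

# Constructed sample rows: two ordinary form logins, one entry an add-on
# stored under a non-http hostname, and one legacy base64-only entry.
# The "encrypted" values are dummies, not real ciphertext.
SAMPLE_ROWS = [
    ("https://mail.example.com", None, "https://mail.example.com", "user", "pass",
     "~dummy-user-1", "~dummy-pass-1", "{guid-1}", 1),
    ("https://twitter.example.com", None, "https://twitter.example.com", "u", "p",
     "~dummy-user-2", "~dummy-pass-2", "{guid-2}", 1),
    ("chrome://hypothetical-notifier", "Hypothetical Notifier", None, "", "",
     "~dummy-user-3", "~dummy-pass-3", "{guid-3}", 1),
    ("http://legacy.example.com", None, "http://legacy.example.com", "u", "p",
     "dXNlcg==", "cGFzcw==", "{guid-4}", 0),
]


def build_sample_db():
    """Create an in-memory signons.sqlite look-alike populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_logins (hostname, httpRealm, formSubmitURL, usernameField, "
        "passwordField, encryptedUsername, encryptedPassword, guid, encType) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def audit_signons(conn):
    """Summarise stored logins without reading or decrypting any secret material.

    Returns a dict with the total row count, a per-hostname Counter, the list of
    non-http hostnames (likely add-on entries), and counts of entries that are
    SDR-encrypted (encType 1, tied to key3.db) versus base64-obfuscated only.
    """
    rows = conn.execute("SELECT hostname, httpRealm, encType FROM moz_logins").fetchall()
    summary = {
        "total": len(rows),
        "by_hostname": Counter(),
        "non_http": [],
        "sdr_encrypted": 0,
        "obfuscated_only": 0,
    }
    for hostname, _realm, enc_type in rows:
        summary["by_hostname"][hostname] += 1
        if not hostname.startswith(("http://", "https://")):
            summary["non_http"].append(hostname)
        if enc_type == 1:
            summary["sdr_encrypted"] += 1
        else:
            summary["obfuscated_only"] += 1
    return summary


def audit_file(path):
    """Audit an on-disk signons.sqlite; open read-only so the profile is not modified."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_signons(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    # Run against the constructed sample; pass a real path to audit_file() instead.
    result = audit_signons(build_sample_db())
    print(f"{result['total']} stored logins")
    for host, n in sorted(result["by_hostname"].items()):
        print(f"  {n}  {host}")
    print("non-http (possible add-on) entries:", result["non_http"])
    print("SDR-encrypted:", result["sdr_encrypted"], "obfuscated only:", result["obfuscated_only"])
```

Run it against a copied profile (work on a copy, and point `audit_file()` at it) to see at a glance whether an add-on has quietly added entries you did not know about, and how much of the file's contents would fall to someone holding key3.db on a profile with no master password.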

While this may have been obvious to others, it was not to me. That is one of the many reasons I love this field.

Update August 09, 2010: Jeremiah Grossman presented his work entitled Breaking Browsers: Hacking Auto-Complete at Black Hat last week. The presentation included examples of using XSS to steal saved credentials in the Firefox and Chrome password managers.


About Me

Infosec geek from Boston, MA with interests in hacking, incident response, digital forensics, and malware analysis. I also enjoy single malt scotch and a good cigar. The purpose of this blog is to get random ideas and thoughts out of my head and onto a medium to share. I also tend to rant quite a bit. Hopefully someone will find it informative or entertaining.

